The basic function provided by a cryptographic system (or cryptosystem) is encipherment/decipherment. A cryptosystem can be considered to consist of a pair of data transformations--the first transformation is applied to a data item, known as plaintext, and generates a new (unintelligible) data item called ciphertext. The other transformation, applied to ciphertext, results in the regeneration of the original plaintext. An encipherment transformation uses as input both the plaintext data and an independent data value known as an encipherment key. Similarly, a decipherment transformation uses a decipherment key. These keys are seemingly random bit-vectors. There are two basic types of cryptosystems--symmetric systems and public-key (or asymmetric) systems. The DES (U.S. Data Encryption Standard) is a symmetric cryptosystem in which the same key is used in the encipherment and decipherment transformation.
FIGS. 1 and 2 are algorithmic flow charts of the DES enciphering process. The DES algorithm employs a 56-bit key and operates on 64-bit blocks of data. Referring to FIG. 1, the encipherment process begins with an initial permutation 10 of a 64-bit block of plaintext, which is then divided into two 32-bit halves. One half (e.g. the right half R_1 at the first round) is used as input to a key-dependent round function 12 (e.g. f_1), which takes the internal key K_1 as its second input, and the result (e.g. R'_1) is exclusive-ORed (XORed, i.e. summed modulo 2) 14 with the other half (e.g. the left half L_1). After one such iteration, or round, the two halves are swapped and the operation is repeated. After 16 rounds of computation, the output is put through a final permutation 16 to generate the ciphertext, which is 64 bits long. Note that the round function itself is never inverted: its output is only ever XORed into the other half, so it need not be a bijection.

The round function includes passes through eight nonlinear substitutions known as s-boxes and is shown in more detail in FIG. 2, which depicts the round function f_i of the i-th round (i = 1, 2, ..., 16). The function takes two inputs, the right half R_i of the block and the internal key K_i, and generates an output R'_i. The initial key is 56 bits long, from which 48 bits are selected at each round according to a predetermined key schedule 20 to form the internal key K_i. The right half R_i is first expanded at 22 from 32 bits to 48 bits and XORed at 24 with the internal key K_i. The 48-bit result is divided into eight 6-bit parts, each of which is applied to a different s-box 26. The s-boxes are nonlinear substitutions, each mapping 6 input bits to 4 output bits. The eight 4-bit outputs of the s-boxes are concatenated at 28 into 32 bits and then permuted at 30 to yield the output R'_i 32, which is XORed with the left half L_i as shown in FIG. 1.
The decipherment process is of the same form as the encipherment process, except that the internal keys for the 16 rounds are applied in reverse order, i.e. K_16, K_15, ..., K_2, K_1.
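The following is an added example and not code from the patent: a 16-round Feistel network with the DES block layout of FIGS. 1 and 2 (64-bit block, two 32-bit halves, a key-dependent function of the right half XORed into the left half, swap after each round). The round function and key schedule are toy stand-ins for the DES f (expansion, s-boxes, permutation) and PC-2 selection, and the constants in them are arbitrary; what the example shows is that the round function is never inverted and that decipherment is encipherment with the internal keys applied in the order K_16, ..., K_1.

```python
# Added example, not from the patent: DES-style Feistel structure with a
# TOY round function and TOY key schedule (assumptions, not DES itself).

MASK32 = 0xFFFFFFFF
MASK56 = (1 << 56) - 1
ROUNDS = 16


def round_function(r, k):
    """Toy stand-in for f_i(R_i, K_i): mix the 32-bit right half with a
    32-bit internal key. It need not be invertible; the Feistel structure
    only ever XORs its output into the other half."""
    x = (r ^ k) & MASK32
    x = (x * 0x9E3779B1) & MASK32            # multiply by an odd constant
    x ^= x >> 15
    return ((x << 13) | (x >> 19)) & MASK32  # rotate left by 13


def key_schedule(key):
    """Toy stand-in for the DES key schedule: derive K_1..K_16 (32 bits
    each here; 48 in DES) from a 56-bit key by rotation and folding."""
    k = key & MASK56
    subkeys = []
    for i in range(ROUNDS):
        k = ((k << 3) | (k >> 53)) & MASK56  # rotate the 56-bit key left by 3
        subkeys.append((k ^ (k >> 24) ^ (i * 0x01010101)) & MASK32)
    return subkeys


def feistel(block, subkeys):
    """Apply the rounds with the internal keys in the order given.
    The halves are swapped after every round and the final swap is
    undone, which is what lets one routine serve both directions."""
    left, right = (block >> 32) & MASK32, block & MASK32
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << 32) | left


def encrypt(block, key):
    return feistel(block, key_schedule(key))


def decrypt(block, key):
    # Same rounds; internal keys in reverse order K_16, K_15, ..., K_1.
    return feistel(block, key_schedule(key)[::-1])


if __name__ == "__main__":
    key = 0x0123456789ABCD    # constructed 56-bit key
    pt = 0x0123456789ABCDEF   # constructed 64-bit block
    ct = encrypt(pt, key)
    assert decrypt(ct, key) == pt
    # Running the rounds again with the keys in forward order does not
    # invert the cipher; only the reversed key order does.
    assert feistel(ct, key_schedule(key)) != pt
    print("pt=%016x ct=%016x" % (pt, ct))
```

Because each round only XORs f(R_i, K_i) into the other half, applying the same round with the same K_i cancels it exactly, which is why running the rounds backwards (keys reversed) recovers the plaintext without ever computing an inverse of f.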
The ciphertext displays no correlation to the plaintext. Every bit of the output depends upon every bit of the input and on every bit of the key. The security of DES depends primarily upon the non-linear s-boxes, since the remaining parts of the algorithm are all linear and thus easily attacked. It does not, however, depend on the secrecy of the algorithm, since the complete algorithm, including the contents of the s-boxes, is public knowledge.
The strength of DES has been a controversial issue and many attacks have been debated. In an article entitled "Differential Cryptanalysis of the Full 16-round DES" in Advances in Cryptology, Proceedings of CRYPTO '92, Springer-Verlag, pp. 487-496, E. Biham and A. Shamir describe a cryptanalytic attack that can break DES using 2^47 chosen plaintexts. Their differential cryptanalysis is based on the principle that when the XOR of two plaintexts is equal to a specific value, it is possible to perform a statistical attack on the key given the two plaintexts and their corresponding ciphertexts. The statistical attack is possible because the s-boxes, while nonlinear, generate a highly skewed distribution of Output XORs for a given Input XOR. For example, S1 maps the Input XOR 34 (hexadecimal) to the Output XOR 2 with probability 1/4: 16 of the 64 possible inputs x satisfy S1(x) XOR S1(x XOR 34) = 2. Since the output of an s-box is 4 bits, an even distribution would map each Input XOR into each Output XOR with probability 1/16.
The relationship between s-box construction and immunity against Biham and Shamir's differential cryptanalysis of DES-like cryptosystems was discussed in the present inventor's article entitled "On immunity against Biham and Shamir's differential cryptanalysis", Information Processing Letters, vol. 41, Feb. 14, 1992, pp. 77-80. It was proposed in the article that s-boxes with an even (flat) distribution of so-called "Output XORs" would be immune to this attack, and it was proven that bent-function-based s-boxes are guaranteed to possess this flat distribution.
While a flat Output XOR distribution defeats differential cryptanalysis, because no Output XOR occurs with high probability, and bent-function-based s-boxes have this ideal distribution, it is also known that bent-function-based m×n s-boxes exist only for m ≥ 2n, where m and n are the numbers of input and output bits of the s-box, respectively. Any s-box with m > n has more input vectors than output vectors, so by the pigeonhole principle at least two inputs are mapped to the same output; that is, one or more Input XORs have an Output XOR of zero. For a bent-function-based s-box the flat distribution makes this exact: every nonzero Input XOR yields the Output XOR zero with probability 2^-n. Bent-function-based s-boxes with m > n therefore have a fixed, non-negligible probability of a zero Output XOR, which may be exploited in cryptanalysis.
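The following is an added example and not code from the patent or the cited papers. It computes difference distribution tables (counts of Output XORs for each Input XOR) for two s-boxes: DES S1 as published in FIPS 46, reproducing the skewed entry that differential cryptanalysis exploits, and a constructed 4×2 bent-function-based s-box (multiplication in GF(4), a perfect nonlinear map chosen here for illustration, with m = 2n), whose table is flat, including the Output XOR of zero that every nonzero Input XOR produces with probability 2^-n = 1/4.

```python
# Added example, not from the patent: difference distribution tables (DDTs)
# of DES S1 (skewed) and of a constructed 4x2 bent-function-based s-box (flat).

# DES S1 as published in FIPS 46: row = outer two input bits, column = inner four.
DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def des_sbox(table, x):
    """Evaluate a DES s-box on a 6-bit input b1..b6 (b1 most significant)."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def ddt(sbox, m, n):
    """ddt[dx][dy] = number of inputs x (out of 2**m) with
    sbox(x) ^ sbox(x ^ dx) == dy. A flat table has 2**(m-n) everywhere
    for dx != 0; a skewed table has entries well above that."""
    table = [[0] * (1 << n) for _ in range(1 << m)]
    for dx in range(1 << m):
        for x in range(1 << m):
            table[dx][sbox(x) ^ sbox(x ^ dx)] += 1
    return table


def gf4_mul(a, b):
    """Multiply in GF(2^2) = GF(2)[t]/(t^2 + t + 1); elements are 2-bit ints."""
    r = 0
    for _ in range(2):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 4:
            a ^= 0b111  # reduce modulo t^2 + t + 1
    return r


def bent_sbox(v):
    """Constructed 4x2 s-box S(x, y) = x*y over GF(4), x = high two input
    bits, y = low two. S(x+a, y+b) + S(x, y) = bx + ay + ab is a balanced
    affine map for every (a, b) != 0, so each nonzero Input XOR yields every
    Output XOR (zero included) exactly 2**(m-n) = 4 times."""
    return gf4_mul(v >> 2, v & 3)


def des_s1_ddt():
    return ddt(lambda x: des_sbox(DES_S1, x), 6, 4)


def bent_ddt():
    return ddt(bent_sbox, 4, 2)


def max_entry(table):
    """Largest count for a nonzero Input XOR, as (dx, dy, count)."""
    best = (0, 0, 0)
    for dx in range(1, len(table)):
        for dy, c in enumerate(table[dx]):
            if c > best[2]:
                best = (dx, dy, c)
    return best


if __name__ == "__main__":
    t = des_s1_ddt()
    print("S1: Input XOR 0x34 -> Output XOR 0x2 for %d of 64 inputs" % t[0x34][0x2])
    print("S1: most skewed entry (dx, dy, count):", max_entry(t))
    print("bent 4x2: rows for nonzero Input XOR:",
          sorted(set(tuple(r) for r in bent_ddt()[1:])))
```

Running it shows the 16/64 entry for S1 (against the 4/64 an even distribution would give) and sixteen identical rows [4, 4, 4, 4] for the bent-based s-box: no row is exploitable by skew, but column zero is 1/4 in every row, which is the fixed zero Output XOR the text describes.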
In Proceedings of the 3rd Symposium on State and Progress of Research in Cryptography, Rome, Italy, Feb. 15-16, 1993, the present inventor and a co-author describe s-box design in an article entitled "Designing S-boxes for Ciphers Resistant to Differential Cryptanalysis (Extended Abstract)", pp. 181-190. It is concluded in the article, based on the observation above, that s-boxes which have fewer input bits than output bits and which are partially bent-function-based may be a good basis for symmetric cryptosystems.
The paper entitled "Linear Cryptanalysis Method for DES Cipher" by M. Matsui in Advances in Cryptology: Proceedings of EUROCRYPT '93, Springer-Verlag, pp. 386-397, describes another attack on DES-like ciphers. Linear cryptanalysis relies on the construction of statistically useful linear approximations of the s-boxes in the round function, i.e. XOR relations between a subset of input bits and a subset of output bits that hold with probability measurably different from 1/2. Where differential cryptanalysis requires 2^47 chosen plaintexts, linear cryptanalysis requires 2^47 known plaintexts, which is a weaker requirement on the attacker, who need only observe plaintext/ciphertext pairs rather than choose the plaintexts.
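The following is an added example and not code from Matsui's paper or the patent. It computes the linear approximation table of DES S5 (as published in FIPS 46): for each input mask a and output mask b, the number of the 64 inputs x for which the parity of the masked input bits a·x equals the parity of the masked output bits b·S(x). An unbiased relation scores 32; the approximation Matsui uses, input mask 0x10 (the second input bit) against output mask 0xF (parity of all four output bits), scores only 12, a deviation of 20, the largest of any DES s-box.

```python
# Added example, not from the patent: linear approximation table (LAT) of DES S5.

# DES S5 as published in FIPS 46: row = outer two input bits, column = inner four.
DES_S5 = [
    [2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
    [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
    [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
    [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3],
]


def des_sbox(table, x):
    """Evaluate a DES s-box on a 6-bit input b1..b6 (b1 most significant)."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def parity(v):
    return bin(v).count("1") & 1


def linear_approximation_table(sbox, m, n):
    """NS[a][b] = number of inputs x (of 2**m) with parity(a & x) ==
    parity(b & sbox(x)). NS == 2**(m-1) means the masks are uncorrelated;
    the further NS is from that, the more useful the approximation."""
    table = [[0] * (1 << n) for _ in range(1 << m)]
    for x in range(1 << m):
        y = sbox(x)
        for a in range(1 << m):
            pa = parity(a & x)
            for b in range(1 << n):
                if pa == parity(b & y):
                    table[a][b] += 1
    return table


def des_s5_lat():
    return linear_approximation_table(lambda x: des_sbox(DES_S5, x), 6, 4)


def best_approximation(table, m):
    """Most biased (a, b) with both masks nonzero, as (a, b, |NS - 2**(m-1)|)."""
    half = 1 << (m - 1)
    best = (0, 0, 0)
    for a in range(1, len(table)):
        for b in range(1, len(table[a])):
            dev = abs(table[a][b] - half)
            if dev > best[2]:
                best = (a, b, dev)
    return best


if __name__ == "__main__":
    t = des_s5_lat()
    print("S5: NS(0x10, 0xF) = %d of 64 (bias %d/64)" % (t[0x10][0xF], t[0x10][0xF] - 32))
    print("S5: most biased masks (a, b, deviation):", best_approximation(t, 6))
```

The relation "second input bit = XOR of the four output bits" holds for 12 inputs and fails for 52, so its complement holds with probability 52/64. Chaining such s-box relations through the expansion, the key XOR and the permutation gives a linear relation between plaintext, ciphertext and key bits for the whole cipher; the key bits are then recovered by counting how often it holds over known plaintext/ciphertext pairs.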
In a Workshop on Selected Areas in Cryptography (SAC '94) May 5 and 6, 1994 at Queen's University, Kingston, Ontario, Canada, the present inventor presented a paper entitled "Simple and Effective Key Scheduling for Symmetric Ciphers (Extended Abstract)". The paper describes substantially the basic concept of the present invention.